*** How To Win (with a twist) ***
The first one to publish each broken password gets points according to the table below but at the same time helps the others since the password is the salt of the next hash. So you have to decide -- should you publish your cracked password and collect your points before the others or should you keep it a secret to get a head start cracking the next one?

To collect points for a password you must be the first one to publish that broken password on this sla.ckers.org thread. Please send an email to john.wilander@owasp.org at the same time so we can correct any misunderstandings. For instance we can happen to run into hash collisions, where someone finds another mixed alpha password of max 5 characters that concatenated with the right salt produces the same hash. In such a case we will publish the real password and give points to the one who found the collision.

The one with the most points on March 21st wins a free ticket to the conference!

*** The Hashes ***
Each password consists of a-zA-Z (mixed alpha) and is max 5 characters long. With salt that means max 10 mixed alpha characters as input to the hash function. All hashes here are in hex format. The Java source code has all the details. The plus operator means string concatenation.

Example: Given that pwd1 is "Win" and pwd2 is "You", the hash 16189F5462BF906E9D88CF6F152DE86F is the result of MD2("YouWin"). Now pwd2 will be the salt when you crack pwd3.

*** The Source Code ***
The source code we've used to produce the hashes is available here (http://www.owasp.org/images/7/79/OwapsAppSecResearch2010HashChallenge.zip). It's Java and all but the LM hash are done with Bouncy Castle 1.4.5 (http://www.bouncycastle.org/latest_releases.html).
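The claim check described in the post above (alphabet rule, hash match against the chained salt, collision credit), as an added example that is not the challenge's Java source. It assumes Python's hashlib algorithms in place of the challenge's own, an empty salt for the first link and a minimum password length of 1; the chain, the names and the `hex_len` truncation are constructed for illustration.

```python
import hashlib
import re

ALLOWED = re.compile(r"[A-Za-z]{1,5}")  # page rule; minimum length 1 is an assumption

def keyspace(alphabet=52, max_len=5):
    """Candidates per link; the salt is an already published password, so it adds none."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def link_hash(algo, pwd, salt, hex_len=None):
    """Upper-case hex digest of pwd + salt, the order in the post's MD2("YouWin") example.
    hex_len truncates the digest; it exists only to make the collision case testable."""
    return hashlib.new(algo, (pwd + salt).encode("ascii")).hexdigest().upper()[:hex_len]

def check_claim(algo, published, salt, claimed, real, hex_len=None):
    """Classify one published claim against the organizers' record of the real password."""
    if not ALLOWED.fullmatch(claimed):
        return "rejected: not mixed alpha, max 5"
    if link_hash(algo, claimed, salt, hex_len) != published.upper():
        return "rejected: hash mismatch"
    return "valid: real password" if claimed == real else "valid: collision"

def build_chain(algos, passwords, first_salt=""):
    """Hash each password with its predecessor as salt (first salt empty: an assumption)."""
    hashes, salt = [], first_salt
    for algo, pwd in zip(algos, passwords):
        hashes.append(link_hash(algo, pwd, salt))
        salt = pwd
    return hashes

# Constructed sample chain, not the challenge's hashes or passwords.
ALGOS = ["md5", "sha1", "sha256"]
REAL = ["Win", "You", "AbCde"]
CHAIN = build_chain(ALGOS, REAL)

if __name__ == "__main__":
    print("candidates per link:", keyspace())
    salt = ""
    for algo, digest, pwd in zip(ALGOS, CHAIN, REAL):
        print(algo, digest, check_claim(algo, digest, salt, pwd, pwd))
        salt = pwd
```

Because each salt is the previous published password, the search space per link stays at the five-character figure `keyspace()` returns rather than the ten-character input length.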

lol, "The one with the most points on March 21st wins a free ticket to the conference!", less than 24 hours.. but well, 5 alnum chars was kinda-easy.. arbitrary length dictionary words, would have left it open for a week I think..